Over the last couple of months, there has been an interesting debate in Canada and the US about whether an employer can ask for a social media password. For some of the highlights of the conversation in Ontario, see:

South of the Border

The issue originally hit the headlines when the American Civil Liberties Union complained on behalf of a Maryland correctional officer.  The ACLU uploaded a video on YouTube and asserted that the employee’s privacy rights had been violated when his employer turned to the employee during a re-certification interview and demanded his Facebook password. Maryland has since passed the first US law prohibiting employers from demanding social media login information.

California, Illinois, Texas, Washington and New York have also introduced social media privacy bills, and earlier this week, the Password Protection Act of 2012 was introduced at the federal level to prohibit employers from demanding social media login information as a condition for employment.

So Should Canadian Employers Ask for Social Media Passwords?

At this point, only Nova Scotia has introduced a bill banning employers from asking for social media passwords.  The first reading was in April, so it is only in at the beginning of the process.

Last week, the Ontario Office of the Information and Privacy Commissioner introduced a guideline recommending against employers asking for social media passwords.  Other provincial privacy commissioners have published similar guidelines about social media background checks.

At this point, however, there is no specific law on the issue in Canada.

I personally come down on the side of those who see this as a very, very bad idea for employers to consider, and yet if an employer merely gathers the data and does nothing with it in Ontario, it probably isn’t a technical legal violation.  (See my blogs posts here and here on the privacy law gap for Ontario employee information.)

For provinces such as British Columbia, Alberta and Quebec with provincial privacy legislation, employee personal information has greater protections and asking for such information will likely cross the legal line.

Even in Ontario without specific protections for employee personal information, the problem is, of course, that for most employers, it will be very tempting to quietly pass on the candidate whose online profile indicates she is 4 months pregnant, highly politically charged, controversial, clearly a bit of a drunk (while pregnant!!), has sued her last 10 employers and believes working Friday afternoons should be banned in Canada. If the employer were conducting a regular interview, most of this information – some protected under the Human Rights Code, some not – would remain unknown until she starts running amuck in the workplace. I get why an employer would want to avoid the situation, but there are just too many landmines to worry about when demanding a social media password during an interview.

Terms of Service

The focus of the debate has been correctly centred on the discrimination and privacy concerns. Another issue receiving some, but not enough, attention is the extent to which the social media platforms themselves permit this use. Users enter into a contract with the social media in order to use their service. The services may be free, but no less legally binding.

By demanding that a candidate hand over his or her social media password information, an employer is asking that candidate to breach the terms of service with the social media provider.  Facebook itself issued a statement in March condemning the practice and advising users they should not reveal their login information.

The Facebook Statement of Rights and Responsibilities includes the following statements:

  • 3(5) – You [User] will not solicit login information or access an account belonging to someone else.
  • 3(10) – You [User] will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory.
  • 4(8) – You [User] will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.

Not only is the candidate prohibited from sharing his or her password, but should the HR Manager conducting the interview happen to have a Facebook account, he or she would be violating the Terms of Service of his or her own account by soliciting the login information of someone else. Arguably he or she is doing so on behalf of the employer, so vicarious liability arguments could come into play. Should there be clear company policy prohibiting the practice, however, an employer could argue that the rogue HR Manager was acting beyond his or her duties.

Either way, it all gets so messy. Why ask for the hassle for information that is frequently inaccurate, dated and irrelevant, particularly when you usually cannot legally use the more juicy information in the first place?

Dan Michaluk’s Best Practices

If you do intend on asking for social media passwords, I suggest you review Dan Michaluk’s useful “employer-friendly” post on his All About Information blog, which includes the following best practices in managing the legal risks associated with conducting social media background checks:

  1. Check at the end of the hiring process. This is a background check, not an evaluative process. It should come as the next to last step in the hiring process.
  2. Check only when there is a demonstrable need. What’s the need? What are the alternatives? Why is this the better alternative? Document your needs analysis.
  3. Search based on objective criteria. It will be very hard to establish the validity of a profiling exercise – i.e., an exercise in which you attempt to draw broad inferences about job performance or trustworthiness based on social media activity. Unless you have a qualified expert prepare a defensible predictive model, don’t profile. Look for objective behaviors that raise legitimate concerns in light of job responsibilities. For example, you may look for statements that a candidate for a sales or marketing position has made critical comments about your company or industry that are incompatible with becoming a representative of the company.
  4. Have someone other than the decision-maker search. This is a means of ensuring that the decision-maker does not see irrelevant information that may be related to a personal characteristic that is protected by anti-discrimination legislation.
  5. Direct a written report to the decision-maker. The report (which contains only feedback on the objective search criteria) goes in the hiring file and is part of the formal record upon which the hiring decision is made. This record is designed to assist in the defence of discrimination claims and is a record of due diligence. It makes the actual (forensic) record of the internet search irrelevant to a discrimination claim, which should minimize e-discovery risks.
  6. Validate negative information. Positively identifying the author of internet publications can be difficult. Validate authorship and seek an explanation.

This Too Shall Pass

Given the number of legal and practical risks, employers should be careful what they wish for. Should you feel it essential to wade into this dodgy, dangerous water, be prepared for the potential consequences.

From what I can tell anecdotally, few employers actually ask for social passwords so let’s hope this pseudo-storm will pass over as we figure out how to integrate social media into the workplace in a manner that works for both employers and employees.

Are you an employer that finds it necessary to ask for your employee’s social media passwords?  I’d love to hear your perspective, given the prevalence of the anti-password and login information voice.